CIOs Battle Worker Apathy Towards Lost or Stolen Mobile Phones

American workers don't get too worked up about lost or stolen mobile phones -- even if those phones contain company data. A large percentage think it's not their problem and don't change their security practices afterwards. Are CIOs partly to blame for not setting stricter and clearer mobile security policies?

Like spoiled teenagers, American workers are telling their CIO that lost or stolen phones are simply not their fault, not their problem. Corporate data theft is no big deal. It's just a phone, they say. Besides, aren't you responsible for mobile data security?

In a survey of 750 U.S. workers in industries such as banking, retail, healthcare and energy, conducted by Absolute Software in November, there appears to be a general feeling of apathy toward mobile security.

Even if employees leak or lose corporate data, 25 percent of respondents say it's not their problem. Of those who actually lost a phone, 34 percent were not punished, 30 percent had to replace the device and 21 percent simply had a "talkin' to." Given such lackadaisical responses, it's no surprise that one-third of respondents who had lost their phones did not change their security habits afterwards.

Part of the problem is that employees don't really know what's at stake nor do they bother to understand the security portion of the user policy. In the survey, 59 percent estimated the value of the corporate data on their phones to be less than $500 -- although that's hardly the case.

"If we end up on the front of the Fresno Bee because an attorney left his phone at the bar... the damage to your reputation could literally be millions of dollars," CIO Darin Adcock at California-based law firm Dowling Aaron, told CIO.com.

Are CIOs to Blame?

To be fair, CIOs must shoulder some of the blame for workers being uniformed about mobile security user polices, which can get a little dense. One out of four workers doesn't know company procedure for dealing with work device loss or theft, according to the survey. It's a communication problem that's not solely the worker's fault.

Additionally, CIOs say lots of employees will keep looking for a lost phone for weeks and not report it (although the policy says they should) out of fear it'll get wiped and they'll lose personal data. That's also perhaps a problem with the policy in relation to human behavior.

"If firms don't set clear policies that reflect the priority of corporate data security, they can't expect employees to make it a priority on their own," says Tim Williams, mobile enterprise data expert at Absolute Software.

But clear user policies aren't the only way to get employees to pay attention to the dangers of mobile data loss. Paul Luehr, managing director at Stroz Friedberg, a global data risk management company with a cyber-crime lab, told CIO.com that he's seen the fallout from a lack of consequences for poor security at the individual level.

"We think it's a good policy to make sure that security is not just part of an overall HR policy but, especially for some people, it's part of their annual performance evaluation," Luehr says.